There are several ways that we can collect and obtain data from an iPhone or Apple mobile device. The first option is to have physical access to the device. Each model and version of iPhone, iPod, and iPad has a different level of support, but data can be obtained from each in some forensic fashion. The three levels of support are:
Logical – collection of the active information on the device.
File System – collection of the device’s file structure and the folders and files within it.
Physical – a full forensic image of the memory on the device.
You may look at these three levels of support and automatically want the physical collection, but if you have a newer iPhone like the 4S or the 5, this level of support is not currently available. The main reason is that Apple started using the new A5 chip, and the decoding of this chip has not been developed yet.
Don’t worry, it’s not all doom and gloom for those with an iPhone 4S or iPhone 5. As long as the phone is not password protected, we can obtain a file system extraction of the device. iPhones, iPods, and iPads save the user and system data in database files, and a forensic file system extraction collects those DB (database) files as well. This is why a forensic file system collection can recover both deleted and active content from the device. Here is an example of the data that can be recovered from an iPhone.
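The reason deleted content survives in those database files, shown as an added example that is not code from the original post or from any forensic tool: iOS apps keep their data in SQLite, and SQLite leaves a deleted row’s bytes in the file unless its secure_delete setting is on. The script builds a constructed message store whose table shape only loosely imitates an iOS messages database (assumed, not the real schema), deletes one thread, and then carves the raw file for text the SQL engine no longer returns.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows: a loose stand-in for an iOS messages table (assumed shape).
KEEP = ["MSGKEEP-%02d meeting moved to three" % i for i in range(4)]
GONE = ["MSGGONE-%02d delete this thread" % i for i in range(4)]
TEXT_RE = re.compile(rb"MSG(?:KEEP|GONE)-\d{2} [a-z ]+")


def build_sample_db(path, secure_delete=False):
    """Write the messages, then delete the GONE thread the way an app would."""
    conn = sqlite3.connect(path)
    # OFF is the usual SQLite default: a freed cell keeps its bytes on disk.
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, "
                 "handle TEXT, date INTEGER, text TEXT)")
    rows = [("+15550100", 1357000000 + i, t) for i, t in enumerate(KEEP)]
    rows += [("+15550199", 1357000100 + i, t) for i, t in enumerate(GONE)]
    conn.executemany("INSERT INTO message(handle, date, text) VALUES (?,?,?)", rows)
    conn.commit()
    conn.execute("DELETE FROM message WHERE handle = '+15550199'")
    conn.commit()
    conn.close()


def live_texts(path):
    """What a logical query (or the app itself) still shows."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT text FROM message ORDER BY ROWID")]
    conn.close()
    return rows


def carve_texts(path):
    """Scan the raw file bytes, bypassing the SQL engine, for message-shaped text."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted({m.decode("ascii") for m in TEXT_RE.findall(data)})


def run_demo(secure_delete=False):
    """Return the live rows and the carved strings the engine no longer reports."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        build_sample_db(path, secure_delete)
        live = live_texts(path)
        deleted = [s for s in carve_texts(path) if s not in live]
    return {"live": live, "recovered_deleted": deleted}


if __name__ == "__main__":
    for flag in (False, True):
        print("secure_delete=%s -> %s" % (flag, run_demo(flag)["recovered_deleted"]))
```

With secure_delete left at its default the four deleted messages are carved straight out of the file; with it on, SQLite zeroes the freed cells and nothing comes back, which is the same distinction a file system extraction relies on.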
This is only one example, and I have seen devices provide thousands of deleted and active items. The amount of data you can recover really depends on the user and how they used the device. If they did a factory restore, the data will most likely not be there. A factory restore does not mean we are done at the forensic lab. What do you do when an Apple iPhone, iPod, or iPad has been wiped? We access the computer for iTunes backups of the device. iTunes backup files can hold just as much, and sometimes more, data as the actual device. When a user syncs their phone to the computer and loads up music, movies, or pictures, they are usually performing a backup as well. The backup files can be exported from the computer and loaded into our cell phone forensic tools for analysis. Below is an example of an iTunes backup file opened in our forensic tool.
The value of the iTunes backup cannot be ignored. Whether you have a criminal, civil, or personal investigation involving Apple mobile products the device and the iTunes backup can be forensically examined.
Devices like the iPhone or iPad can be a great resource for eDiscovery requests. These devices can be connected to an Exchange server or a webmail client. Depending on the configuration, the emails may reside on both the server end and the user (phone) end. When collecting emails and documents for an eDiscovery situation, user devices should not be ignored. They can house emails and documents that are no longer on the server or the user's computer. As you can see from the screen shot above, this user had 3,943 emails on the device, 1,199 of which were deleted. These emails could make or break your case. These emails could also cause controversy if you do not collect them when ordered to. If your order is worded "collect all email and documents related to the case", every device holding these items should be forensically collected.